Business context
Information security management is a major issue worldwide.
The US Privacy Rights Clearinghouse reports that 543m records
have been breached in the US since 2005. In 2011 alone, Verizon's
Data Breach Investigations Report found that 174m records were
compromised in a total of 855 data breaches, in what it called
an all-time low for information protection. This isn't just a problem
for large organizations; the same report outlined an increasing trend
that sees a growing proportion of these breaches happen in small- and medium-sized businesses, year on year.
Regulatory Compliance
In Europe, the EC is working on a major overhaul of data protection
rules to strengthen online privacy rights. It is looking to reflect the
fact that technological progress and globalisation have changed
the way data is collected, accessed and used since the EU first
Why certification?
Organizations and individuals may use the ISO/IEC 27001
standard as a framework when developing an Information
Security Management System (ISMS). The scheme enables independent
external accredited certification bodies (ACBs) to audit the ISMS and certify that the requirements
of the standard have been met.
Certification is not compulsory, but it is evidence of independent
verification and validation of an established, embedded and
effective ISMS.
The initial process of certification is normally a multi-stage audit
by an ACB, beginning with an informal review of the ISMS documentation and progressing
to a detailed check that the provisions of ISO/IEC 27001 have
been met in practice. After initial certification, ACBs carry out follow-up
audits at least once a year, and more usually every six months for
a large organization. These surveillance audits sample the ISMS
to verify its continued compliance. Every three years there is a
full re-certification audit to make sure the entire ISMS remains
compliant.
Holistic approach
Information security is just one of a number of areas
where organizations seek market differentiation and
independent confirmation of mature governance and
operations through certification. ISO/IEC 27001 stands
alongside the ISO 9001 quality management system
and ISO 14001 environmental management system
standards as one of the major process-based standards
to which organizations are looking to achieve certification.
These standards share a structure of creating a policy-based
approach supported by top management. They
also share requirements for internal auditing to make sure
that systems are effective and for that information to be
passed to top management for review. Applied together,
these standards are able to create a robust, integrated
management system.
Organizations that achieve an ISO/IEC 27001 compliant system
are already able to use parts of that development to inform
their approach to other management systems. Many
enterprises already achieve certification to both ISO/IEC 27001 and
ISO/IEC 20000-1 for IT Service Management Systems (ITSMS),
complementing their ITIL implementation.
As the ISMS considers information assets and operational
environmental controls that protect those assets, further
synergies are found with BS ISO 22301:2012 which specifies the
requirements for setting up and managing an effective Business
Continuity Management System (BCMS).
What happens after initial certification?
It takes a concentrated effort to develop a system ready
for audit by an external party. The certification process does not
stop there, however. It is better viewed as embarking on a journey
rather than reaching a destination.
The organization must review its systems and processes
continually to ensure that information security remains effective
for the current practices of the organization, the types of
information it is holding and the way in which it is operating its
systems.
Conclusion
If information security is breached, the repercussions can range from heavy
penalties to legal action that could threaten the viability of the business or
have a major impact on the funds available to deliver services.
There is a pressing need to recognise that a holistic approach is needed to
organization-wide information security management systems. ISO/IEC 27001
offers a framework within which organizations can approach information
security management in a systemic way.
Thousands of organizations globally have recognised the value of certification to
ISO/IEC 27001. The certification process provides an expert independent validation
About APMG-International
APMG-International is a leading Examination Institute. We accredit professional
training and consulting organizations and manage certification schemes for
knowledge-based workers. We have a global reach, with regional offices
located around the world.